Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorization bypass in blade-gateway #8

Open
s31k31 opened this issue Jul 7, 2020 · 0 comments
Open

Authorization bypass in blade-gateway #8

s31k31 opened this issue Jul 7, 2020 · 0 comments

Comments

@s31k31
Copy link

s31k31 commented Jul 7, 2020

src/main/java/org/springblade/gateway/filter/AuthFilter.java

isSkip() method in AuthFilter.java, url.replace(AuthProvider.TARGET, AuthProvider.REPLACEMENT)) is equal to url.replace("/**", ""), which is to remove /** in defaultSkipUrl then determines whether the path contains one of the URLs.

Note that contains is used, that is, path::contains, which means that as long as the incoming path contains the URL in /token or defaultSkipUrl, authorization can be bypassed.

You can use the URL parsing feature to add ;%2ftoken after the request to be considered that the Url contains the /token, and the route can be correctly resolved by the gateway, resulting in unauthorized access.

image

The origin without Blade-Auth is blocked.
http://localhost/blade-gateway/discovery/instances
image

Add %2ftoken to the end of the URL to bypass authorization.
http://localhost/blade-gateway/discovery/instances;%2ftoken
image
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@s31k31